Chapter 7

Critical Infrastructure as a Target

Nation-State Attacks and APTs

Introduction

Critical infrastructure—the systems that underpin modern society including power grids, water treatment plants, financial systems, and telecommunications networks—has become a primary target for nation-state cyber operations. The convergence of IT and operational technology (OT) has expanded the attack surface, while the potential for physical damage elevates the stakes far beyond data theft.

This section explores the critical infrastructure sectors most at risk, the fundamentals of Industrial Control Systems (ICS) and SCADA networks, the Volt Typhoon campaign of pre-positioning in US infrastructure, and the long-term threat of harvest-now-decrypt-later strategies.


Critical Infrastructure Sectors

Critical infrastructure encompasses sixteen sectors designated by the US Cybersecurity and Infrastructure Security Agency (CISA) as essential to national security, economic stability, and public health. A successful cyberattack on any of these sectors could have cascading effects across society.

Energy, water, and financial services are the most frequently targeted sectors, but telecommunications, healthcare, and transportation infrastructure are increasingly in the crosshairs. The interconnected nature of modern infrastructure means that a disruption in one sector often cascades into others.

  • Energy: Power generation, transmission, and distribution systems rely on digitally controlled equipment vulnerable to cyber manipulation
  • Water and wastewater: Treatment plants use SCADA systems that often run legacy software without security updates
  • Financial services: Banking, payment processing, and stock exchanges are high-value targets for both theft and disruption
  • Healthcare: Hospital systems, medical devices, and health data repositories face ransomware and espionage threats

Cascading Failures: When Ukraine's power grid was attacked in 2015 and 2016, the outage affected not just electricity consumers but also water treatment, heating, and communication systems. Critical infrastructure interdependencies mean that a single sector compromise can trigger multi-sector failures.

ICS/SCADA Fundamentals

Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems manage physical processes in critical infrastructure. These systems were originally designed for isolated, air-gapped networks with a focus on reliability and safety rather than cybersecurity.

The convergence of IT and OT networks has connected these once-isolated systems to corporate networks and, in many cases, the internet. This connectivity enables remote monitoring and management but also exposes decades-old control systems to modern cyber threats they were never designed to withstand.

Key ICS/SCADA Components

  1. PLCs (Programmable Logic Controllers): Hardware devices that directly control physical processes like valve positions, motor speeds, and temperature setpoints
  2. HMIs (Human-Machine Interfaces): Operator consoles that display process data and accept commands, often running Windows-based software
  3. RTUs (Remote Terminal Units): Field devices that collect sensor data and transmit it to central SCADA systems
  4. Historian servers: Databases that record process data for analysis, often bridging the OT-IT network boundary

ICS protocols such as Modbus, DNP3, and OPC were designed without authentication or encryption. Attackers who gain network access to OT systems can directly read sensor data, modify control setpoints, and send commands to physical equipment without needing to bypass any security controls.
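Because Modbus carries no authentication field, the only thing a defender can check is which host is sending which function code. The following is an added example, not code from the chapter: a minimal Modbus/TCP parser that raises an alert whenever a write function code arrives from a host outside an allow-list of known engineering stations. The sample frames, the host addresses and the allow-list are constructed for the example.

```python
"""
Added example (not from the chapter): a minimal Modbus/TCP frame parser that
flags write requests to a PLC from hosts outside an allow-list. Modbus carries
no authentication, so the only available signal is *who* sends *which* function
code. All frames and addresses below are constructed for the example.
"""
import struct
from dataclasses import dataclass

# Function codes that change process state (subset of the public Modbus spec;
# the read codes 0x01-0x04 are deliberately not listed).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

@dataclass
class ModbusRequest:
    src_ip: str
    transaction_id: int
    unit_id: int
    function_code: int
    address: int      # starting coil/register address
    payload: bytes    # remainder of the PDU

def parse_modbus_tcp(src_ip: str, frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus the PDU. Raises ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame length")
    fc = frame[7]
    # the common read and write functions carry a 16-bit start address next
    address = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else -1
    return ModbusRequest(src_ip, tid, unit, fc, address, frame[10:])

def find_unauthorized_writes(frames, allowed_writers):
    """Return alert strings for write function codes from hosts not in allowed_writers."""
    alerts = []
    for src_ip, frame in frames:
        try:
            req = parse_modbus_tcp(src_ip, frame)
        except ValueError as e:
            alerts.append(f"{src_ip}: malformed frame ({e})")
            continue
        if req.function_code in WRITE_FUNCTIONS and src_ip not in allowed_writers:
            alerts.append(
                f"{src_ip}: {WRITE_FUNCTIONS[req.function_code]} "
                f"to unit {req.unit_id} addr {req.address}"
            )
    return alerts

def build_frame(tid, unit, fc, address, value):
    """Build a single-register/coil request; used only to construct sample data."""
    pdu = struct.pack(">BHH", fc, address, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic: the HMI reads and writes, an unknown host writes.
SAMPLE_FRAMES = [
    ("10.0.5.10", build_frame(1, 1, 0x03, 0x0000, 0x0002)),  # HMI: read 2 holding registers
    ("10.0.5.10", build_frame(2, 1, 0x06, 0x0010, 0x01F4)),  # HMI: write setpoint 500
    ("10.0.9.77", build_frame(3, 1, 0x06, 0x0010, 0x0000)),  # unknown host: write setpoint 0
    ("10.0.9.77", b"\x00\x04\x00\x00\x00\x02\x01"),          # truncated frame
]
ALLOWED_WRITERS = {"10.0.5.10"}

if __name__ == "__main__":
    for alert in find_unauthorized_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print("ALERT", alert)
```

The allow-list is doing the work that the protocol itself cannot: in a real deployment it would be fed from the asset inventory of engineering workstations and HMIs, and the parser would sit on a network tap or in an IDS rather than reading a fixed list. The malformed-frame path matters too, since truncated or oversized MBAP frames against a PLC are worth reviewing on their own.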


Volt Typhoon Pre-Positioning

The Volt Typhoon campaign, attributed to China, represents one of the most concerning nation-state cyber operations disclosed to date. Rather than conducting espionage or theft, Volt Typhoon has been systematically pre-positioning access within US critical infrastructure—establishing persistent footholds that could be used for disruption in a future conflict.

Volt Typhoon uses living-off-the-land (LOTL) techniques almost exclusively, relying on legitimate system tools and commands rather than deploying custom malware. This approach makes detection extremely difficult because the attacker's actions are indistinguishable from normal administrative activity.

  • Targets: Communications, energy, water, and transportation infrastructure across the United States
  • Techniques: Living-off-the-land binaries (LOLBins), compromised SOHO routers for C2, minimal custom tooling
  • Objective: Pre-positioning for potential disruption during a Taiwan Strait conflict scenario
  • Duration: Intelligence agencies report access maintained for five or more years in some networks

Strategic Significance: Volt Typhoon represents a shift from cyber espionage to cyber warfare preparation. The pre-positioned access is not being used for intelligence gathering; it is being held in reserve as a potential weapon. This changes the calculus for defenders, who must now hunt for adversaries that are deliberately avoiding any observable activity.
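When the tools are legitimate, signature matching has nothing to match, so hunting for living-off-the-land activity comes down to novelty: an administrative tool being run by a host and account that never ran it during a baseline window. The following is an added example, not code from the chapter or from any published Volt Typhoon analysis: it parses process-creation events in an assumed log layout, builds a baseline of which (host, user) pairs use which admin-capable tools, and reports recent uses that have no precedent. The log lines, host names, accounts and the tool list are constructed for the example.

```python
"""
Added example (not from the chapter): baseline-vs-recent comparison over
process-creation events that surfaces administrative tools run by a
(host, user) pair that never ran them during the baseline window. Living-off-
the-land activity uses legitimate tools, so the signal is novelty, not a
malware signature. The log layout is assumed and all lines are constructed.
"""
from collections import defaultdict

# Assumed log format: "<iso-timestamp> host=<h> user=<u> image=<path> parent=<exe>"
BASELINE_LOGS = """\
2024-03-01T08:02:11Z host=hmi-01 user=ops\\jsmith image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe
2024-03-01T09:15:42Z host=jump-01 user=corp\\admin1 image=C:\\Windows\\System32\\netsh.exe parent=cmd.exe
2024-03-02T10:01:07Z host=jump-01 user=corp\\admin1 image=C:\\Windows\\System32\\wbem\\wmic.exe parent=cmd.exe
2024-03-03T11:30:00Z host=hmi-01 user=ops\\jsmith image=C:\\Vendor\\ScadaView.exe parent=explorer.exe
"""

RECENT_LOGS = """\
2024-04-10T02:14:09Z host=hmi-01 user=ops\\jsmith image=C:\\Windows\\System32\\netsh.exe parent=cmd.exe
2024-04-10T02:15:31Z host=hmi-01 user=ops\\jsmith image=C:\\Windows\\System32\\wbem\\wmic.exe parent=cmd.exe
2024-04-10T09:00:12Z host=jump-01 user=corp\\admin1 image=C:\\Windows\\System32\\netsh.exe parent=cmd.exe
2024-04-10T09:05:44Z host=hmi-01 user=ops\\jsmith image=C:\\Vendor\\ScadaView.exe parent=explorer.exe
"""

# Admin-capable built-ins worth baselining (assumed, illustrative subset).
ADMIN_TOOLS = {"netsh.exe", "wmic.exe", "powershell.exe", "schtasks.exe", "reg.exe"}

def parse_events(text):
    """Yield one dict per event with ts/host/user/image/parent/tool fields."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        fields["ts"] = ts
        # basename of the image path, lower-cased, is the tool identity
        fields["tool"] = fields["image"].rsplit("\\", 1)[-1].lower()
        yield fields

def build_baseline(text):
    """Map (host, user) -> set of admin tools seen during the baseline window."""
    seen = defaultdict(set)
    for ev in parse_events(text):
        if ev["tool"] in ADMIN_TOOLS:
            seen[(ev["host"], ev["user"])].add(ev["tool"])
    return seen

def find_novel_admin_tool_use(baseline, recent_text):
    """Return (ts, host, user, tool) for recent admin-tool runs with no baseline precedent."""
    findings = []
    for ev in parse_events(recent_text):
        if ev["tool"] not in ADMIN_TOOLS:
            continue
        if ev["tool"] not in baseline.get((ev["host"], ev["user"]), set()):
            findings.append((ev["ts"], ev["host"], ev["user"], ev["tool"]))
    return findings

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOGS)
    for finding in find_novel_admin_tool_use(baseline, RECENT_LOGS):
        print("REVIEW", *finding)
```

In the constructed data the jump host's administrator running netsh is normal and produces nothing, while the HMI operator account running netsh and wmic at 02:14 has no precedent and is surfaced for review. The same structure extends to parent-process pairs and to time-of-day, which is why the timestamp is carried through; the baseline window must be long enough to cover legitimate but infrequent maintenance, or the hunt drowns in noise.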

Harvest Now, Decrypt Later

The harvest-now-decrypt-later (HNDL) strategy involves nation-states collecting and storing encrypted data today with the expectation that future quantum computers will be able to break the encryption. This represents a long-term strategic threat to any information that must remain confidential for decades.

Government communications, military plans, intelligence sources and methods, trade secrets, and medical records all fall into the category of data that must remain confidential well beyond the anticipated timeline for quantum computing advancement. Nation-states are already stockpiling encrypted network traffic in anticipation of this capability.

  • Data at risk: Anything encrypted with RSA, ECDH, or other quantum-vulnerable algorithms
  • Timeline: Cryptographically relevant quantum computers estimated within 10–15 years
  • Active collection: Intelligence agencies are believed to be recording encrypted traffic from key networks
  • Mitigation: Transition to post-quantum cryptography standards (NIST ML-KEM, ML-DSA) must begin now

Time Pressure: The window for action is closing. Data encrypted today using RSA-2048 may be decrypted within 15 years. If that data must remain confidential for 25 years, the migration to post-quantum cryptography is already overdue. Organizations must begin their cryptographic transition planning immediately.
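The arithmetic behind the time-pressure argument is Mosca's inequality: if X (years the data must stay confidential) plus Y (years needed to migrate) exceeds Z (years until a cryptographically relevant quantum computer), the data is already exposed to harvest-now-decrypt-later collection. The following is an added example, not code from the chapter: a small crypto-inventory triage that classifies each asset's algorithm as quantum-vulnerable or not and applies the inequality to rank what must migrate first. The inventory rows, the 15-year horizon and the algorithm classification are assumptions for the example; the classification follows the general rule that factoring- and discrete-log-based public-key schemes fall to Shor's algorithm while symmetric ciphers only lose margin to Grover's.

```python
"""
Added example (not from the chapter): crypto-inventory triage using Mosca's
inequality X + Y > Z, where X is the required confidentiality lifetime,
Y the migration time and Z the expected years until a cryptographically
relevant quantum computer (CRQC). Inventory and horizon are constructed.
"""
from dataclasses import dataclass

# Assumed classification: public-key schemes built on factoring or discrete
# logs lose confidentiality to Shor; symmetric ciphers only lose margin to
# Grover, so only short symmetric keys are flagged; NIST PQC standards pass.
QUANTUM_VULNERABLE = {"RSA", "ECDH", "ECDSA", "DH", "DSA"}
PQC_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}
MIN_SYMMETRIC_BITS = 256

@dataclass
class Asset:
    name: str
    algorithm: str            # algorithm protecting the data's confidentiality
    key_bits: int
    shelf_life_years: int     # X: how long confidentiality must hold
    migration_years: int      # Y: estimated time to migrate this system

def is_quantum_vulnerable(asset: Asset) -> bool:
    if asset.algorithm in QUANTUM_VULNERABLE:
        return True
    if asset.algorithm == "AES":
        return asset.key_bits < MIN_SYMMETRIC_BITS
    return asset.algorithm not in PQC_SAFE  # unknown algorithms are treated as at risk

def mosca_deficit(asset: Asset, crqc_years: int) -> int:
    """Years by which X + Y exceeds Z; a positive value means exposure to HNDL."""
    return asset.shelf_life_years + asset.migration_years - crqc_years

def triage(assets, crqc_years):
    """Return (asset name, deficit) for every exposed asset, largest deficit first."""
    exposed = []
    for a in assets:
        if not is_quantum_vulnerable(a):
            continue
        deficit = mosca_deficit(a, crqc_years)
        if deficit > 0:
            exposed.append((a.name, deficit))
    return sorted(exposed, key=lambda t: -t[1])

# Constructed inventory.
INVENTORY = [
    Asset("archived-medical-records", "RSA", 2048, shelf_life_years=25, migration_years=3),
    Asset("vpn-site-to-site", "ECDH", 256, shelf_life_years=5, migration_years=2),
    Asset("backup-tapes", "AES", 256, shelf_life_years=30, migration_years=1),
    Asset("telemetry-feed", "AES", 128, shelf_life_years=2, migration_years=1),
    Asset("new-tls-endpoint", "ML-KEM", 768, shelf_life_years=20, migration_years=0),
]
CRQC_HORIZON_YEARS = 15  # assumed; the chapter cites a 10-15 year estimate

if __name__ == "__main__":
    for name, deficit in triage(INVENTORY, CRQC_HORIZON_YEARS):
        print(f"{name}: exposed, X + Y exceeds Z by {deficit} years")
```

Running it against the constructed inventory reproduces the chapter's scenario: RSA-2048 protecting records with a 25-year shelf life overshoots a 15-year horizon by 13 years once a 3-year migration is counted, while the ECDH VPN with a 5-year shelf life is vulnerable in principle but not yet exposed. The useful property of the deficit is that it ranks migration work; the horizon Z is the least certain input and should be revisited as estimates change.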